COSO Map Template
Documenting Internal Control Evaluations

The COSO Framework sets out five Components of internal control and seventeen Principles representing the fundamental concepts associated with the Components. These Components and Principles of internal control are suitable for all entities and groups of people. All seventeen Principles also apply to each Category of Objective, as well as to objectives and sub-objectives within a Category.

Additionally, the Control Activities Component of control represents the actions established by policies and procedures to help ensure that management directives are carried out. These Control Activities are performed at all levels of the entity and extend down into the organization to the business process and transactional level, and over the technology environment.

Documentation of internal controls can be done using two tools: the COSO Template (for entity-level controls) and the Risk Control Matrix (for activity-level controls). This is depicted below.

Larry Hubbard © 2014 03 Page 1

COSO Map Template (For Documenting Entity-Level Controls)

Internal or Control Environment (5 principles) - the CE is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct.

Principle / Control Mechanisms

CE1 Integrity and Ethical Values. The organization demonstrates a commitment to integrity and ethical values. (Codes of conduct, mission and values statements, procedures to determine and deal with ethical compliance, conflict of interest committees)

CE2 Independent BOD. The board demonstrates independence from management and exercises oversight of the development and performance of internal control. (Frequency of challenges to management, interactions with auditors and management, direction given to external auditors, level of independence, clarity of charters and levels of expertise needed, role in whistle-blowing procedures, reviews of financial information, clarity of governance processes, oversight of internal control)

CE3 Roles and Responsibilities. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. (Organization charts showing reporting lines, project teams, quality circles, focus groups, committee structures, organizational design functions, limits of authority, approval processes, controls over management overrides, delegations of authority, accountability mechanisms, responsibility matrices such as RACI charts)

CE4 Commitment to Competence. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. (Analysis of skills required for jobs, job descriptions, training and development efforts, professional development programs, mentoring and coaching programs, succession planning, employment contracts, evaluating outsourced providers)

CE5 Accountabilities. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. (Organization-wide human resource policies and standards, hiring and selection procedures, employee termination procedures, salary and bonus systems based on performance measures, background checks, personnel evaluation systems, upward and 360 feedback processes, employee self-assessment processes, remedial actions for poor work, alignment of risks and rewards)

ERM-IE6 COSO ERM Added: Risk management philosophy, appetite, culture and tolerance.

Risk Assessment - Objectives, Risks, and Responses (4 principles) - Risk assessment involves a dynamic and iterative process for identifying and analyzing risks to achieving the entity's objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives.

RA6 Objective Setting. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. (Strategic and directional objectives; SMART objectives; prioritization of objectives; alignment of mission statements, vision statements, and objectives; sub-unit, departmental and process-level objectives)

RA7 Risk Identification and Assessment. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. (Surveys, discussions and meetings with appropriate personnel to identify risk events; estimating severity of potential risks; procedures to consider what could go wrong at entity, activity and process levels; management making decisions to accept, avoid, reduce or share risks based on cost, benefit, impact and likelihood)

RA8 Fraud Risks. The organization considers the potential for fraud in assessing risks to the achievement of objectives. (Fraud committee activities; identification of risks due to asset misappropriations, corruption, and fraudulent statements; fraud workshops; fraud prevention programs; assessing opportunities and incentives)

RA9 Impact of Changes. The organization identifies and assesses changes that could significantly impact the system of internal control. (Mechanisms, discussions and meetings to identify risks due to changes in external conditions, business model, and leadership; impact of business process changes)

ERM-RA10 Added: Distinguishing risks and opportunities and a portfolio view of risks.

Note: Management making decisions to accept, avoid, reduce or share risks based on cost, benefit, impact and likelihood is part of internal control, but the actions undertaken to share or reduce the significance or likelihood of a risk (that is, risk responses) are part of the management process, not an element of internal control. In COSO ERM these are identified as the risk responses component.

Control Activities (3 principles) - CAs are the actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out. CAs are performed at all levels of the entity and at various stages within business processes, and over the technology environment.

Note: Control Activities are the most voluminous Component of internal control (in terms of control mechanisms). They extend from the entity level down to the business process and transactional levels for all parts of the organization, and relate to all operational, reporting and compliance objectives. Generally, first understanding the entity-level control mechanisms in the other four Components of control will prepare for an evaluation of the control mechanisms in place for the Control Activities Component (a top-down approach). Alternatively, a bottom-up approach, where Control Activities are evaluated before the entity-level Components are understood, may lead to duplication of work in identifying the controls in place to mitigate risks.

CA10 Selection of Control Activities to Address Risks. The organization selects and develops CAs that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. Integrated with Risk Assessment at transaction-processing and higher levels. (Reconciliations; physical safeguarding and access controls; comparisons and counts; matching of documents; supervisory approvals; transaction and credit limits; business process and transactional controls to ensure completion, accuracy, and validity; segregation of incompatible duties; manual and automated controls over how transactions are initiated, authorized, recorded, processed and reported; controls over period-end financial reporting; tests of disaster recovery plans; formal document retention schedules; controls specific to certain industries, such as Federal Acquisition Regulations, Joint Commission on Accreditation of Healthcare Organizations (JCAHO) standards, and national and regional accreditation for universities)

Most of the mechanisms to carry out these CAs will exist within the business activities (including business and transactional processing systems) across the organization and are unique to those activities. Thus, they cannot all be listed here. An activity-level risk and control matrix can be used for each activity. (See end of document.)

CA11 General Controls over Technology. The organization selects and develops general control activities over technology to support the achievement of objectives. (IT infrastructure, general and application controls; program development and change controls; access controls to programs and data; computer operations controls; acquisition, development and maintenance processes; tests of IT contingency plans; passwords and user identifiers and privileges; areas defined in COBIT and Global Technology Audit Guide (GTAG) control models)

CA12 Deploys through Policies and Procedures. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action. (Procedure manuals, desk manuals, instruction books; help screens; annual and long-term budgeting procedures; standardized contracts; chart of accounts structures; procedures for analytical analyses such as relating operating and financial data; procedures for organization-wide reviews and monitoring of budgets; earnings meetings and reviews of operating results; disclosure committee activities; reviews of public reports by management; other reviews of organization functions, operations, or procedures; reviews of policies for continued relevance)

Note: some management initiatives are full-scale methodologies designed to achieve business objectives. Examples of these initiatives are shown below as control activities, but in practice they supply controls to all the COSO components. If present in an organizational unit, their activities and controls can be mapped to the relevant COSO components to provide a consistent framework for an evaluation of control across the whole organization.

Other-CA Some management and quality initiatives are entity-wide methodologies designed to help achieve business objectives. For instance: ISO 9000, 10000, 14000 and 31000 certifications; Malcolm Baldrige quality programs; Total Quality Management efforts; Balanced Scorecard systems; Enterprise Risk Management; compliance with Sarbanes-Oxley and the Basel Accords; Management by Objectives; Six Sigma programs; Occupational Health, Safety and Environment programs; Learning Organizations; Key Performance Indicator (KPI) and Key Success Factor (KSF) programs; security, legal and regulatory compliance functions.

Information and Communication (3 principles) - Information is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives. Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day controls. Communication enables personnel to understand internal control responsibilities and their importance to the achievement of objectives.

IC13 Gathering and Using Relevant Information. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. (Surveys to gauge knowledge of the code of conduct, clarity of objectives, and other information about Principles of control; using suggestion boxes, discussion boards, intranet websites, customer websites, and portals to obtain information; market share reports, competitor analysis; other companies' earnings releases, annual reports, 10-Ks; monitoring social websites for information; ERP systems, EDI information exchange systems, information databases, and other methods to process information and be sure it is accurate)

IC14 Internal Communications. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. (Personnel announcements; internal newsletters; formal policy and procedure systems; management guides; scheduled management presentations; open forum meetings, all-hands and departmental meetings; video and telephone message broadcasts; executive lunches with employees; separate lines of communication; management messages about security, ethics, citizenship, policies, risks, controls, objectives, strategies, values; Board of Directors meetings; metrics, balanced scorecards, dashboards)

IC15 External Communications. The organization communicates with external parties regarding matters affecting the function of internal control. (Customer forums; external surveys; analyst meetings; external websites, publications and newsletters; hotlines; independent assessment of outsourced providers; independent auditors' reports; results of regulatory reviews and audits; postings on social media websites and the company website; accreditation reviews; OSHA reviews; examiners)

App-IC Most business areas depend on an underlying IT application for daily or routine transaction processing. Such applications help manage the transactional volume, and their controls are considered in CA10 and CA11.

Monitoring Activities (2 principles) - Ongoing evaluations, separate evaluations or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the Principles within each component, is present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to the board.

Note: Monitoring in COSO relates to assessing the operation of internal control and risk management processes, as opposed to Control Activities such as top-level reviews, forecasts and budgets, which are entity-wide control activities.

MA16 Ongoing and Separate Evaluations of Components. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. (Asking questions while walking around; discussing Principles of control with employees; talking with customers about employee conduct; supervisor observations; periodic reviews by internal auditors, quality auditors, and specialists; internal security reviews; reviewing maturity models and key performance indicators over time for changes; benchmarking studies; self-assessments; understanding the monitoring performed by outsourced service providers and its impact on internal controls)

MA17 Reporting of Deficiencies in Control. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. (Distributing reports on evaluations to senior management and the Board; follow-up on control gaps and problems that occur; open issues lists; status reporting on audit and other reviews and studies; fraud reporting and investigation mechanisms)

The above was accumulated from Internal Control - Integrated Framework (2013) and Enterprise Risk Management (ERM) - Integrated Framework (2004).

Activity-Level Risk/Control Matrix (For Documenting Control Activities Component of Control)

Control Activities are the most voluminous Component of internal control (in terms of control mechanisms). They extend from the entity level down to the business process and transactional levels for all parts of the organization, and relate to all operational, reporting and compliance objectives. Generally, first understanding the entity-level control mechanisms in the other four Components of control will prepare for an evaluation of the control mechanisms in place for the Control Activities Component (a top-down approach). Alternatively, a bottom-up approach, where Control Activities are evaluated before the entity-level Components are understood, may lead to duplication of work in identifying the controls in place to mitigate risks.